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(54) Credit card system and method 

(57) A credit card system (100) is provided which 
has the added feature of providing additional limited-use 
credit card numbers (126) and/or cards. These numbers 
and/or cards can be used for a single transaction, there- 
by reducing the potential for fraudulent reuse of these 
numbers and/or cards. The credit card system finds ap- 



plication to "card remote" transactions such as by phone 
or Internet (112). Additionally, when a single use credit 
card is used for "card present" transactions, so called 
"skimming" fraud is eliminated. Various other features 
enhance the credit card system which will allow secure 
trade with the use of elaborate encryption techniques. 
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Description 

{0001] This invention relates to a credit card system 
and method, and more particularly, to a credit card sys- 
tem and method offering reduced potential of credit card 5 
number misuse. 

[0002] The development of retail electronic com- 
merce has been relatively slow in spite of the perceived 
demand for such trade. The single greatest deterrent to 
the expansion of retail electronic commerce is the po- io 
tential for fraud. This potential for fraud has been a major 
concern for the credit card companies and financial in- 
stitutions as well as the customers and the providers of 
the goods and services. 

[0003] The former are concerned about fraud be- '5 
cause essentially the financial institutions have to bear 
the initial cost of the fraud. Additionally, the credit card 
companies have an efficient credit card system which is 
working well for face to face transactions, i.e., "card 
present" transactions where the credit card is physically 20 
presented to a trader and the trader can obtain the credit 
card number, compare signatures and in many cases 
photographs before accepting a particular credit card. 
[0004] The latter are equally concerned about fraud 
being well aware that ultimately the user must pay for 25 
the fraud. However, there are particular personal con- 
cerns for the consumer in that the fraudulent use of the 
credit card by misuse of the credit card number by a third 
party may not become apparent for some time. This can 
happen even if the card is still in his or her possession. 30 
Further, when fraud does occur the consumer has the 
task of persuading the credit card provider that fraud by 
another did indeed occur. 

[0005] There is also the additional fear of being over- 
charged on a credit card. There are thus particular risks 35 
for those credit card holders who have relatively high 
spending limits, in that if fraud should occur, it may be 
some considerable time before it is detected. One par- 
ticular form of fraud referred to as "skimming" is partic- 
ularly diffrcult to control. 40 
What happens is that the card holder proffers his or her 
card at an establishment to make a transaction, the rel- 
evant information is electronically and/or physically cop- 
ied from the card and the card is subsequently repro- 
duced. This can be a particular problem with travelers 
particularly during an extensive period of travel as the 
fraudulent card may turn up in other places and it may 
be some considerable time before the fraud is detected. 
[0006] For remote credit card use, the credit card 
holder has to provide details of name, master credit card so 
number, expiration date and address and often many 
other pieces of infomr>ation for verification; the storing 
and updating of the information is expensive but neces- 
sary. This of itself is a considerable security risk as an- 
ybody will appreciate that this information could be used 55 
to fraudulently charge goods and services to the card 
holder's credit card account. Such fraudulent use is not 
limited to those people to whom the credit card informa- 



tion has been given legitimately, but extends to anybody 
who can illegitimately obtain such details. A major prob- 
lem in relation to this form of fraud is that the credit card 
may still be in the possession of the legitimate holder as 
these fraudulent transactions are taking place. This is 
often referred to as "compromised numbers" fraud. In- 
deed all this fraud needs is one dishonest staff member, 
for example in a shop, hotel or restaurant, to record the 
credit card number It is thus not the same as card theft. 
[0007] The current approaches to the limiting of credit 
card fraud are dependent on the theft of a card being 
reported and elaborate verification systems whereby al- 
tered patterns of use initiate some enquiry from the cred- 
it card company. Many users of credit cards have no 
doubt received telephone calls, when their use of the 
card has been exceptional, or otherwise unusual in the 
eyes of the organization providing the verification serv- 
ices. 

[0008] Thus, there have been many developments in 
an effort to overcome this fundamental problem of fraud, 
both in the general area of fraud for ordinary use of credit 
cards and for the particular problems associated with 
such remote use. 

[0009] One of the developments is the provision of 
smart cards which are credit card devices containing 
embedded electronic circuitry that can either store infor- 
mation or perform computations. Generally speaking 
they contribute to credit card security systems by using 
some encryption system. A typical example of such a 
smart card is disclosed in U.S. Patent No. 5,317,636 
(Vizcaino). 

[001 0] Another one of the developments is the Secure 
Electronic Transaction (SET) protocol which represents 
the collaboration between many leading computer com- 
panies and the credit card industry which is particularfy 
related to electronic transmission of credit card details 
and in particular via the Internet. It provides a detailed 
protocol for encryption of credit card details and verifi- 
cation of participants in an electronic transaction. 
[001 1] Another method that is particularly directed to 
the Internet is described in U.S. Patent No. 5,715,314 
(Payne el al.). U.S. Patent 5,715,314 discloses using an 
access message that comprises a product identifier and 
an access message authenticator based on a crypto- 
graphic key. A buyer computer sends a payment mes- 
sage that identifies a particular product to a payment 
computer. The payment computer is programmed to re- 
ceive the payment message, to create the access mes- 
sage, and to send the access message to a merchant 
computer. Because the access message is tied to a par- 
ticular product and a particular merchant computer, the 
access message can not be generated until the user 
sends the payment message to the payment computer. 
Because the access message is different from existing 
credit card formats, the access message is ill-suited for 
phone/mail orders and other traditional credit card trans- 
actions. 

[0012] There are then specific electronic transaction 
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systems such as "Cyber Cash," "Check Free" and "First 
Virtual." Unfortunately, there are perceived problems 
with what has been proposed to date. Firstly, any form 
of reliance on encryption is a challenge to those who will 
then try to break it. The manner in which access has 5 
been gained to extremely sensitive information in Gov- 
ernment premises would make anyone wary of any re- 
liance on an encryption system. Secondly, a further 
problem is that some of the most secure forms of en- 
cryption system are not widely available due to govern- io 
ment and other security requirements. Limiting the elec- 
tronic trading systems and security systems for use to 
the Internet is of relatively little use. While electronic 
commerce is perceived to be an area of high risk, in 
practice to date it is not. ts 
Additionally, various approaches have been taken to 
make "card present" transaction more attractive. For in- 
stance. Japanese Patent Publication No. Hei 6-282556 
discloses a one time credit card settlement system for 
use by, e.g., teenage children of credit card holders. This 20 
system employs a credit card which can be used only 
once in which various information such as specific per- 
sonal information, use conditions, and an approved 
credit limit identical to those of the original credit card 
are recorded on a data recording element and displayed 25 
on the face of the card. The one-time credit card con- 
tains the same member number, expiration date, card 
company code, and the like as on existing credit card, 
as well as one-time credit card expiration date not ex* 
ceeding the expiration date of credit card, available 30 
credit limit for the card, and the like. The one-time credit 
card makes use of some of the same settlement means 
as the conventional credit card. However, the system 
also requires use permission information to be recorded 
on the credit card, the information permitting the credit 35 
card to be used only once or making it impossible to use 
the credit card when the credit limit has been exceeded. 
A special card terminal device checks the information 
taken from the card for correctness and imparts use per- 
mission information for when the card is not permitted ^0 
to be used on the transmission to the credit card issuing 
company. The use permission information takes the 
form of a punched hole on the card itself. This system 
has obvious drawbacks, such as the card terminal hav- 
ing to be modified for additional functions (e.g.. punch- 45 
ing holes, delected punched holes, imparting additional 
information, etc.). Also, such a system offers little addi- 
tional security insofar as fraud can still be practiced per- 
haps by covering the holes or otherwise replacing the 
permission use information on the credit card. Further, 50 
such a system would require a change in nearly ail card 
terminal equipment if it were adopted, 
f0013] Patent Nos. 5,627,355 and 5,478,994 (Rah- 
man et al.) disclose another type of system that uses a 
plurality of pin numbers which are added to a credit card 55 
number on an electronic display. ti.S. Patent No. 
5,627.355 discloses a credit card having a memory el- 
ement containing a series of passwords in a predeter- 



mined sequence. These passwords are identical to an- 
other sequence stored in a memory of a host control 
computer. Further, the card contains a first fixed field 
containing an account number (e.g., "444 222 333"). In 
operation, the memory element of the credit card device 
provides a unique password from the sequence with 
each use of the credit card device. This permits verifi- 
cation by comparing the account number and the pass- 
word provided with each use of the device with the ac- 
count number and the next number in sequence as in- 
dicated by the host computer. The host computer deac- 
tivates the password after the transaction. Among the 
drawbacks with this type of system is the need for a pow- 
er supply, a display, a memory device, a sound genera- 
tor and the need to recycle a limited sequence of pin 
numbers. Such a system is not readily adapted to cur- 
rent credit card transactions because it lacks the ability 
of providing a check sum of the card number and cannot 
be read by a standard card reader. Also, if the card is 
lost or stolen, there is little to prevent a person from us- 
ing the card until it is reported to be lost or stolen by the 
correct holder. See, also, U.S. Patent No. 5,606,614 
(Brady et aL). 

[001 43 Other attempts have been made to make funds 
available to an individual, but with limitations. For exam- 
ple, U.S. Patent Nos. 5.350,906 (Brody et al.) and 
5,326,960 (Tannenbaum et al.) disclose issuing tempo- 
rary PINs for one time or limited time and limited credit 
access to an account at an ATM. These patents disclose 
a currency transfer system and method for an ATM net- 
work. In this system, a main account holder (i.e., the 
sponsor) sets up a subaccount that can be accessed by 
a non-subscriber by presenting a fixed limit card asso- 
ciated with the subaccount and by entering a password 
corresponding to the subaccount. Once the fixed limit is 
reached, the card can no longer be used. The fixed limit 
card contains information on its magnetic stripe pertain- 
ing to the sponsor account. 

[001 5] One of the problems with all these systems is 
that there are many competing technologies and there- 
fore there is a multiplicity of incompatible formats which 
will be a deterrent to both traders and consumers. Sim- 
ilarly, many of these systems require modifications of 
the technology used al the point of sale, which will re- 
quire considerable investment and further limit the up- 
take of the systems. 

[0016] Many solutions have been proposed to the 
problem of security of credit card transactions. However, 
none of them allow the use of existing credit cards and 
existing credit card formats and terminal equipment. 
Ideally, as realized by the present inventors, the solution 
would be to obtain the functionality of a credit card, while 
never in fact revealing the master credit card number. 
Unfortunately, the only way to ensure that master credit 
card numbers cannot be used fraudulently is to never 
transmit the master credit card number by any direct 
route, i.e. phone, mail, Internet or even to print out the 
master credit card number during the transaction, such 
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as is commonly the case at present. 
[0017] According to exemplary embodiments, the 
present invention is directed towards improving the ex- 
isting credit card system by providing a more secure way 
of using existing credit cards and in particular to provid- 5 
ing an improved way of using existing credit cards in re- 
mote credit card transactions. The present invention is 
further directed towards providing a more secure way of 
using existing credit cards generally which will not re- 
quire any major modifications to existing credit card sys- 
tems. It is further directed towards providing an im- 
proved credit card system that will be more user friendly 
and will provide customers with a greater confidence in 
the security of the system. 

[0018] Further the invention is directed towards pro- i5 
viding an improved credit card system, in one embodi- 
ment, that will not necessarily require the use of expen- 
sive and potentially fallible encryption systems. The 
present invention is also directed towards providing an 
improved credit card system which will enable a user to 20 
obtain the functionality of a credit card while never re- 
vealing the master credit card number. 
[0019] Further the invention is directed towards over- 
coming as far as possible the Incidence of skimming and 
compromise numbers frauds. 25 
[0020] These and other objects of the present inven- 
tion are satisfied by a first exemplary embodiment, 
which pertains to a credit card technique involving: 
maintaining a pool of credit card numbers which share 
identical formatting; assigning at least one credit card 30 
number from the pool of credit card numbers to be a 
master credit card number; assigning at least one credit 
card number from the pool of credit card numbers to be 
a limited-use credit card number which is deactivated 
upon a use-triggered condition subsequent; and asso- 35 
dating the master credit card number with the limited- 
use credit card number, while ensuring that the master 
credit card number cannot be discovered on the basis 
of the limited-use credit card number 
[0021] The technique further comprises: receiving no- 
tification that the limited-use credit card number has 
been used in a credit card transaction; determining 
whether a limited-use event has occurred based on the 
notification, and if so, generating a deactivation com- 
mand; and deactivating the limited-use credit card if a 45 
limited-use event has occurred, based on the deactiva- 
tion command which is generated upon a use-triggered 
condition subsequent. In one embodiment, the limited- 
use event is satisfied when the limited-use credit card 
is used only once. In another embodiment, the limited- so 
use event is satisfied when the limited-use credit card 
is used to accrue charges which are greater than a pre- 
scribed monetary amount, which are greater than a pre- 
scribed frequency of use, and/or a combination of use 
frequency, individual transaction amount and total 55 
amount. 

[0022] In one embodiment of the invention, the addi- 
tional limited-use credit card numbers are allocated au- 



tomatically as soon as the credit card holder uses more 
than a preset amount of limited-use credit card num- 
bers. The advantage of this is that the master credit card 
holder does not have to request the credit card numbers 
each time they are required. 

[0023] In another embodiment, a technique for per- 
forming a credit card transaction based on one of a mas- 
ter credit card number and a limited-use credit card 
number is provided, wherein the limited-use credit card 
number is randomly chosen with respect to the master 
credit card number, but the limited-use credit card 
number includes identical formatting to the master credit 
card number and is associated with the master credit 
card number The technique comprises: entering a 
transaction on the basis of the master credit card 
number or the limited-use credit card number to gener- 
ate a transaction message; and receiving the transac- 
tion message and processing the transaction. The step 
of processing the transaction includes: authorizing or 
denying the transaction; determining whether to deacti- 
vate the limited-use credit card number when the limit- 
ed-use credit card number was used to perform the 
transaction, and generating a deactivation command in 
response thereto, wherein the determining step deter- 
mines whether to deactivate the limited-use credit card 
number based on whether s limited-use event pertain- 
ing to the use of the limited-use credit card number has 
occurred, and if so. generates the deactivation com- 
mand when the limited-use event has occurred; and de- 
activating the limited-use credit card number based on 
the deactivation command. 

[0024] One advantage of the above-described tech- 
niques is that the credit card holder obtains the function- 
ality of a credit card without ever in fact revealing the 
master credit card number in the course of a transaction. 
More specifically, according to a preferred embodiment, 
there is no mathematical relationship between the lim- 
ited-use credit card number and the master credit card 
number This is attributed to the fact that the numbers 
are randomly selected from a queue of available limited- 
use credit card numbers based upon the requests and/ 
or needs of different customers. It is thus virtually inr>- 
possible to predict which customers are looking for num- 
bers at any time or how they will be allocated. 
[0025] Further, the technique can use a limited-use 
credit card number and hence the possibility of compro- 
mised numbers credit card fraud may be eliminated or 
at least greatly reduced. Additionally, in one embodi- 
ment of the credit card technique, a preset credit limit, 
etc. is allocated. Irrespective of how the trader behaves 
(for example, by fraudulently overcharging or providing 
additional goods) the total risk to the credit card holder 
is directly related to the preset credit limit, and thereby 
can be minimized. 

[0026] The foregoing, and other, objects, features and 
advantages of the present invention will be more readily 
understood upon reading the following detailed descrip- 
tion in conjunction with the drawings in which: 



4 



7 



EP 1 115 095 A2 



8 



Fig. 1 shows an exemplary system for implementing 
the present invention; 

Fig. 2 shows, in high-level form, the operation of the 
central processing station shown in Fig. 1 ; 5 



mon feature is that the limitation is based on a use-trig- 
gered condition subsequent, and not just the expiration 
date of the card. 

1. Overvtevy of System Features 



Fig. 3 is a flow chart illustrating an exemplary proc- 
ess for allocating credit card numbers; 

Fig. 4 is a flow chart illustrating an exemplary proc- 
ess for limiting the use of a credit card number; 

Fig. 5 is a flow chart illustrating an exemplary proc- 
ess for distributing credit card numbers: 

Fig. 6 is a flow chart illustrating an exemplary proc- 
ess for electronically using credit card numbers; 

Fig. 7 is a flow chart illustrating an exemplary proc- 
ess for processing a transaction; 

Fig. 8 is a flow chart illustrating another exemplary 
process for processing a transaction; and 

Fig. 9 is a flow chart illustrating an exemplary proc- 
ess for using a credit card number as a PIN number 

[0027] In this specification the term "credit card" refers 
to credit cards (MasterCard®, Visa®. Diners Club®, 
etc.) as well as charge cards (e.g., American Express®, 
some department store cards), debit cards such as us- 
able at ATMs and many other locations or that are as- 
sociated with a particular account, and hybrids thereof 
(e.g., extended payment American Express®, bank 
debit cards with the Visa® logo. etc.). Also, the terms 
"master credit card number" and "master credit card" re- 
fer to the credit card number and the credit card as gen- 
erally understood, namely, that which is allocated by the 
credit card provider to the customer for his or her ac- 
count- It will be appreciated that an account may have 
many master credit cards in the sense of this specifica- 
tion. For example a corporation may provide many of its 
employees with credit cards but essentially each of 
these employees holds a master credit card even if there 
is only one customer account. Each of these master 
credit cards will have a unique master credit card 
number, which set of master credit card numbers will be 
linked to the account. Similarly, in families, various 
members of the family may hold a master credit card all 
of which are paid for out of the one customer account, 
[0028] The term "limited-use" credit card number is 
used to encompass at least both the embodiment in 
which the credit card is designated for a single use. and 
the embodiment in which the credit card is designated 
for multiple uses providing that the charges accrued do 
not exceed a prescribed threshold or thresholds, such 
a total single charge, total charges over a limited time 
period, total charge in a single transaction, etc. A com- 



[0029] There are at least two basic different ways of 
carrying out the present invention. In summary, they are 
the allocation of additional credit card numbers for re- 

10 mote trade and secondly the provision of what are ef- 
fectively disposable credit cards for remote and card 
present trade, both of which have the feature of in the 
case of single use or in the case of multiple use. pro- 
tecting against the worst effects of compromised num- 

^5 bers fraud or skimming. 

[0030] In a refinement of the invention, it is possible 
to control the manner in which an actual transaction is 
carried out as a further protection against unscrupulous 
providers of goods and services. 

20 [0031] Essentially, there are certain matters that will 
be considered in relation to this invention. They are first- 
ly the operational or functional features in so far as they 
affect customers, and then there are the technical fea- 
tures, namely how the invention is implemented, how 

25 the invention is provided to the customers, and finally, 
how the invention is handled by the providers of goods 
and services and the processors of the credit cards, i. 
e., the financial institutions and/or their service provid- 
ers. 

30 [0032] The operational or functional features of this 
invention will be discussed first in the context of a stand- 
ard credit card system. 

[0033] One basic feature of the invention is to provide 
in a credit card system such that each master credit card 

35 holder could be provided with one or more of the follow- 
ing: 1) additional single use credit card numbers for re- 
mote transactions; 2) multiple use credit card numbers 
for remote transactions; 3) single use additional credit 
cards for remote and card present transactions; and 4) 

^0 multiple use credit cards for remote and card present 
transactions. 

[0034] It is also envisaged that in certain situations 
credit cards can be provided to people who do not have 
an account with any credit card company. This latter fea- 

45 lure is described in more detail below. Various other fea- 
tures may be provided in the above situations which will 
further improve the security of credit card transactions. 
[0035] Dealing firstly with the situation where a master 
credit card holder has an additional credit card number 

50 allocated to him or her for a single use, it will be appre- 
ciated that since the number can only be used for one 
single transaction, the fact that the number is in anybody 
else's hands is irrelevant as it has been deactivated and 
the master credit card number is not revealed to the third 

55 party. Various other features may be added to such sin- 
gle use credit card numbers, for example, the vatue of 
the transaction can be limited, thus the master credit 
card holder can have a plurality of single use credit card 
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numbers of differing values. For example, when a re- 
mote trade is carried out, the master credit card holder 
will use a credit card number which has a credit card 
limit only marginally above or equal to that of the value 
of the transaction. This would reduce the chances of or 
prevent an unscrupulous trader using the credit card 
number to supply additional goods or services over 
those ordered or to increase the agreed charge. 
[0036] A second embodiment of the invention pro- 
vides the master credit card holder with an additional 
credit card number for use in remote trade, which credit 
card number could have, as in the previous example of 
the invention, a credit limit for each specific transaction 
or a credit limit such that when the aggregate amount of 
a series of transactions exceeded a specific credit limit 
that the credit card number would be canceled, invali- 
dated or in some other way deactivated. Similarly, the 
multiple use credit card number could be limited to, for 
example, five uses with a credit limit not exceeding $100 
in each transaction and an aggregate credit limit not ex- 
ceeding $400. Similarly, a time restriction could be put 
on such a credit card number in that it would be deacti- 
vated if it was used with frequency above (or below) a 
given threshold, for example, more than once a week. 
It will be appreciated that the limits that can be placed 
on the use of a single use credit number or a multiple 
use credit card number are almost limitless and those 
having skill in the art will consider other ways in which 
the use of the credit card number could be limited, 
whether it be by time, by amount, frequency of use, by 
geographical region, or by purpose or use (such as lim- 
ited to Internet trade and so on), or by some combination 
of these separate criterion. 

[0037J The third way in which the invention could be 
carried out is by physically providing additional single 
use credit cards each of which would have a unique ad- 
ditional credit card number. Such additional single use 
credit cards could then be used both for remote trade 
by using the additional credit card numbers for respec- 
tive transactions, and for "card present" trade where 
each card would be "swiped" in the normal manner. 
Such a disposable credit card could be made like any 
common credit card, or from a relatively inexpensive 
material, such as cardboard or thin plastic, with the rel- 
evant information entered into it in readable (e.g., mag- 
netic) form, as is already the case with many forms of 
passes for use in public transport and the like. Again, 
substantially the same features as with the credit card 
number could be provided. Thus, for example, the dis- 
posable credit card could be limited to use geographi- 
cally, to a use, to an amount, to a frequency of use, to 
an expiration date, and so on. Again, those skilled in the 
art will appreciate that there are many variations to this 
concept. 

[0038] Another way of carrying out the invention is to 
provide a master credit card holder with a multiple use 
additional credit card, where the additional credit card 
provides any limitations as to use triggered conditions 



subsequent that may be desired. 
[0039] Ideally, irrespective of the manner in which the 
invention is carried out, the master credit card holder 
would be provided with either a plurality of single use 
5 additional credit card numbers or multiple use credit 
card numbers or a mixture of single and multiple use 
credits cards. 

[0040] It will be appreciated that with either single use 
credit card numbers or single use additional credit 

10 cards, it is possible to eliminate or reduce the risk of 
credit card number fraud. Further, depending on the 
credit limit imparted to the particular credit card number 
or additional credit card number or single use additional 
credit card, it is possible to further limit the possibilities 

^5 of fraud in any remote transaction and that with the use 
of a disposable single use credit card it is possible to 
eliminate or reduce the risk of skimming. 
[0041] With multiple use additional credit card num- 
bers and multiple use additional credit cards, the above- 

20 identified problems may not be totally eliminated due to 
preferences of the user. This is because, in certain cir- 
cumstances, credit card users may prefer to have, for 
example, an additional credit card number for remote 
trade with a specific credit limit that they use all the time 

25 and are willing to take the risk of compromised number 
fraud, in the sense that they can control the severity of 
this misuse. This would be particularly the case where 
some of the various user triggered conditions subse- 
quent limitations suggested above are used with the ad- 

30 ditional credit card number. Substantially the same cri- 
teria would apply to an additional multiple use credit 
card. 

[0042] Effectively, the present invention solves the 
problem by obtaining the functionality of a credit card 

35 while never in fact revealing the master credit card 
number as the master credit card number need never 
be given in a remote transaction. Further, the master 
credit card itself need never be given to a trader 
[0043] In another embodiment of the invention, it is 

40 envisaged that people who do not hold master credit 
cards could purchase disposable credit cards which 
would have a credit limit for the total purchases thereon 
equal to the amount for which the credit card was pur- 
chased. These could then be used for both card present 

45 and card remote trade, the only proviso being that if the 
credit limit was not reached it will then be necessary for 
a refund to be given by the financial institution or credit 
card provider. An obvious way of obtaining such a refund 
would be through an automatic teller machine (ATM). 

50 [0044] In this way, the existing credit card transaction 
system is employed and the card holder is given the con- 
venience of having a credit card. 
[0045] As an alternative, the above-discussed cards 
could be, in effect, debit cards in the true sense, in which 

55 funds are withdrawn against a customer's account. In 
this case, the "credit card" issued, whether it be a one 
time use card or multi-use card, and whether have a 
credit limit or not, would be used to debit the account 
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immediatefy. Preferably, the credit card issued in these 
circumstances would be single use with or without a 
transaction amount limit which would be used and proc- 
essed by the customer and merchant for a transaction 
as if it were a credit card, while in the customer's bank 
it would be treated like any other debit to the account. 

2. Exemplary implementation 

2.1 implementation overview 

[0046] Various aspects of the invention may be em- 
bodied in a general purpose digital computer that is run- 
ning a program or program segments originating from a 
computer readable or usable medium, such medium in- 
cluding but not limited to magnetic storage media (e.g., 
ROMs, floppy disks, hard disks, etc.), optically readable 
media (e.g., CD-ROMs, DVDs, etc.) and can-ier waves 
(e.g.. transmissions over the Internet). A functional pro- 
gram, code and code segments, used to implement the 
present invention can be derived by a skilled computer 
programmer from the description of the invention con- 
tained herein. 

(0047J Fig. 1 shows an exemplary overview of a sys- 
tem for implementing the limited-use credit card system 
of the present invention. The system 100 comprises a 
central processing station 102, which, accordingly to ex- 
emplary embodiments, may be operated by the credit 
card provider Generally, this station 102 receives and 
processes remotely generated credit card transactions. 
The credit card transactions can originate from a mer- 
chant in the conventional manner, e.g., by swiping a 
credit card through a card swipe unit 106. Alternatively, 
the credit card transaction requests can originate from 
any remote electronic (e.g., a personal computer) de- 
vice 104. These remote devices can interface with the 
central processing station 102 through any type of net- 
work, including any type of public or propriety networks, 
or some combination thereof. For instance, the personal 
computer 104 interfaces with the central processing sta- 
tion 102 via the Internet 112. Actually, there may be one 
or more merchant computer devices (not shown) which 
receive credit card transactions from the remote elec- 
tronic device 104, and then forward these requests to 
the central processing station 102. The central process- 
ing station 102 can also interface with other types of re- 
mote devices, such as a wireless (e.g., cellular tele- 
phone) device 140, via radiocommunication using trans- 
mitting/receiving antenna 138. 

[0048] The central processing station 102 itself may 
include a central processing unit 120, which interfaces 
with the remote units via network I/O unit 118. The cen- 
tral processing unit 120 has access to a database of 
credit card numbers 124, a subset 126 of which are des- 
ignated as being available for limited use (referred to as 
the '•available range"). Also, the centra! processing unit 
120 has access to a central database 122, referred to 
as a "conditions" database. This database is a general 



purpose database which stores information regarding 
customers* accounts, such as information regarding var- 
ious conditions which apply to each customers* account. 
Further, this database 122 may store the mapping be- 

5 tween a customer's fixed master credit card number and 
any outstanding associated limited-use credit cards, us- 
ing, for instance, some type of linked-list mechanism. 
Databases 122 and 124 are shown separately only to 
illustrate the type of information which may be main- 

^0 lained by the central processing station 102; the infor- 
mation in these databases can be commingled in a com- 
mon database in a manner well understood by those 
having skill in the data processing arts. For instance, 
each limited-use credit card number can be stored with 

^5 a field which identifies its master account, and various 
conditions regarding its use. 

[0049] The central processing unit 120 can internally 
perform the approval and denial of credit card transac- 
tion requests by making reference to credit history infor- 

20 mation and other information in the conventional mar>- 
ner. Alternatively, this function can be delegated to a 
separate clearance processing facility (not shown). 
[0050] Finally, the central processing station includes 
the capability of transmitting the limited-use credit card 

25 numbers to customers. In a first embodiment, a local 
card dispenser 128 can be employed to generate a plu- 
rality of limited-use cards 132 and/or a master credit 
card 134 for delivery to a customer. In a second embod- 
iment, the iimited-use credit card numbers can be print- 

30 ed on a form 1 36 by printer 1 30, which is then delivered 
to the customer via the mail. The printed form 136 may 
include material which covers the numbers until 
scratched off, thereby indicating what numbers have 
been used and are no longer active. This listing of num- 

35 bers can be included in a monthly or other periodic ac- 
count statement sent to the customer. In a third embod- 
iment, these limited-use numbers can be electronically 
downloaded to a user's personal computer 104, where 
they are stored in local memory 142 of the personal 

^0 computer 1 04 for subsequent use. In this case, the cred- 
it card numbers can be encrypted (described in detail 
later). Instead of the personal computer 104, the num- 
bers can be downloaded to a user's smart card though 
an appropriate interface. In a fourth embodiment, the 

^5 single-use credit card numbers can be downloaded to 
a radio unit 140 (such as a portable telephone) via wire- 
less communication. In a fifth embodiment, an ATM 108 
can be used to dispense the limited-use cards 110. 
Those skilled in the art will readily appreciate that other 

50 means for conveying the numbers/cards can be em- 
ployed. These embodiments are, of course, usable to- 
gether. 

[0051] The logic used to perform the actual allocation 
and deactivation of limited- use credit card numbers 
55 preferably comprises a microprocessor which imple- 
ments a stored program within the central processing 
unit 120. Any general or special purpose computer will 
suffice. In alternative embodiments, the logic used to 
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perform the allocation and deactivation of the limited- 
use credit card numbers may comprise discrete logic 
components, or some combination of discrete logic 
components and computer-implemented control. 
[0052] Fig. 2 shows a high-level depiction of the func- 
tions performed by the central processing station 102 or 
the like. The process begins in step 202 by allocating 
one or more limited-use numbers to a customer. These 
numbers are ultimately selected from the list 126 of 
available limited-use numbers, or some other sub-set 
list which has been previously formed from the numbers 
in list 126. Also, although not shown in Fig. 2, a master 
account number would have been preferably assigned 
to the customer at a previous point In time. The condi- 
tions database 122 may comprise a mechanism for as- 
sociating the master credit card number with the limited- 
use credit card number Because the limited-use cards 
are arbitrarily chosen from the listing 126 of limited-use 
card numbers, there should be no discernable link which 
would allow anyone to determine the master credit card 
number from any of the limited-use numbers. 
[0053] The processing then advances to step 204, 
where it is determined whether a customer requests or 
an event triggers a request for additional limited-use 
cards or card numbers. If so, additional limited-use 
cards or card numbers are allocated to the customer. 
[0054] Processing then advances to step 206, where 
the central processing station determines whether a 
transaction has taken place using a previously issued 
limited-use card. This step is followed by a determina- 
tion (in step 208) whether the limited-use number should 
be deactivated. For instance, if the card is a single-use 
card, it will be deactivated. If the card is a fixed-limit card, 
the card is only deactivated if the recent transaction ex- 
ceeds some stored threshold limit. These threshold lim- 
its can be stored on the card itself or in the conditions 
database 122. The actual step of deactivating is per- 
formed by generating a deactivation command, as rep- 
resented in step 210 shown in Fig. 2. Naturally, there 
are other steps to processing a credit card transaction, 
such as checking whether the card is deactivated or oth- 
erwise invalid prior to completing the transaction. These 
additional steps are system specific and are not dis- 
cussed here for sake of brevity. 
[0055] Once a number is deactivated, this number 
can not be fraudulently reused. Hence, the risk of fraud- 
ulent capture of these numbers over the Internet (or via 
other transmission means) effectively disappears. In an 
alternative embodiment of the invention, these deacti- 
vated numbers can be reactivated providing that a suf- 
ficiently long time since their first activation has tran- 
spired. Providing that there is a sufficiently large number 
of limited-use credit card numbers to choose from, it 
would be possible to wait a long time before it was nec- 
essary to repeat any numbers. At this point, it would be 
very unlikely that someone who had wrongfully inter- 
cepted a credit card number years ago would be moti- 
vated to fraudulently use it before the rightful owner 



[0056] After the limited-use card is deactivated or a 
number of limited-use cards are deactivated, an addi- 
tional limited-use card or cards can be activated. As de- 
scribed in detail in the following section, the actual acti- 

5 vation of the credit card number can involve various in- 
termediate processing steps. For instance, the credit 
card numbers from the list 126 can be first allocated to 
an "allocated* range of numbers, and then to an "issued 
but not valid" range of numbers, and then finally to an 

10 "issued and valid" range of numbers. Fig. 2 is a high- 
level depiction of the process, and encompasses this 
specific embodiment, as well as the more basic case 
where the credit card numbers are retrieved from a da- 
tabase and then immediately activated. 

'5 [0057] Having set forth a summary of how the inven- 
tion can be implemented, further details are provided in 
the following. 

2.2 Allocation of the credit card numbers 

20 

[0058] The first thing that the credit card provider 
should do is to generate a list of additional credit card 
numbers, whether they be single use or multiple use, 
and allocate additional credit numbers to a master credit 

25 card as a further credit card number for optional use in- 
stead of the master credit card number. Such a list can" 
be produced by any suitable software package in the 
exemplary manner discussed in more detail below. 
Since the numbers allocated to a particular master credit 

30 card holder will not have any link to the master credit 
card number, the master credit card number should not 
be able to be derived from the additional credit card 
numbers. 

[0059] In effect, randomness in credit card numbers 

35 is provided by the fact that there is a queue formed by 
the customers requiring numbers. Further, it should not 
be possible, even knowing the additional credit card 
numbers in a particular master credit card holder's pos- 
session which he or she may have used, to predict the 

40 next set of numbers that that particular master credit 
card holder wilt be allocated, since there will be random- 
ness of access to additional credit card numbers in the 
truest sense. Even if the credit card provider were to al- 
locate numbers sequentially, there would be no way of 

45 predicting the number that that credit card holder would 
subsequently acquire, since the numbers would be al- 
located by virtue of a queue, the randomness of this al- 
location being such as to prevent any prediction. 
[0060] As such, the credit card numbers generated by 

50 the central computer need not be per se random num- 
bers. Preferably, though, these numbers are valid credit 
card numbers with the constraint that they must conform 
to industry specifications of the format in terms of their 
numerical content in such a way that they can be han- 

55 died with no (or minimal) modifications by merchant/ac- 
quiring systems and networks and be routed to the ap- 
propriate center for processing. An additional constraint 
is that they must be different from all other conventional 
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account numbers and all other single use numbers dur- 
ing their lifetime of validity. These constraints are prac- 
tical requirements to produce a commercially viable sys- 
tem, which would likely not be satisfied by any process 
that generates random numbers in isolation. 
[0061] To achieve these allocation requirements, an 
issuing bank decides within its total available range of 
credit cards to allocate a certain range or ranges of num- 
bers to the single use system, referred to herein as the 
"available range." This may represent spare numbers 
using existing header sequences (e.g., the sequence of 
usually 4-6 digits that define the issuing institution and 
are used to route the card to the appropriate transaction 
processor) or within newly created header sequences. 
The numbers not allocated include existing credit card 
accounts for that issuer and sufficient spare capacity for 
new account holders and replacement numbers for ex- 
isting customers. The additional non-embossed compo- 
nents of the card details and any card specific informa- 
tion that is transmitted during a transaction may be var- 
ied from card to card to enhance security and privacy of 
credit card transactions. 

[0062] Although each limited-use number is unique 
during the its lifetime of validity, information required to 
route the card number and transaction details to the ap- 
propriate processor is maintained to ensure that limited- 
use numbers are processed appropriately. However, the 
limited-use numbers do not need to include either the 
master card account number or an encoded version of 
the account number. Indeed privacy and security are en- 
hanced when no unique account holder identifier is in- 
cluded within the limited-use credit card number. Also, 
information that is verified prior to the card being proc- 
essed for authorization and payment, such as expiry 
date and checksum digit must be valid. This information 
may vary from limited-use number to limited- use 
number, but must be valid to ensure that the number 
passes checks that may be completed within the mer- 
chant terminal, i.e., the checksum is appropriately cal- 
culated for each limited-use number and the associated 
expiry date is valid at the time of use. 
[0063] Within the constraint of using a valid credit card 
format, the random allocation process used to generate 
lists of unique limited-use numbers can involve alloca- 
tion from a range of numbers in which either the entire 
number or portions of the account number are varied. 
In addition, the allocation can include combinations of 
all or part of the account number together with all or part 
of additional information such as non-embossed addi- 
tional numbers, expiry dale and other information that 
identifies the card and is passed on by the merchant to 
the card processor during a transaction. 
[0064] Sequential random allocation from a list of 
available valid credit/debit/charge card codes that have 
been solely allocated for use as limited-use numbers en- 
sures that the criteria specified for limited-use numbers 
are met. i.e., no two limited-use numbers are the same, 
no limited-use number is the same as an existing ac- 



count number, and no newly issued conventional card 
number is the same as a previously issued limited-use 
number. To achieve true computational independence 
between account numbers and limited-use cards and 

5 between limited-use numbers for the same account, the 
random allocation process requires a truly random seed 
value. Such true randomness can be obtained from a 
physically random system with well defined properties 
such as a white noise generator An analog to digital 

10 converter that receives an analog signal from such a tru- 
ly random physical system can be used to ensure truly 
random allocation. 

[0065] Other approaches can result in the same result 
with lower computational efficiency. For example the al- 
^5 location process could randomly select valid credit card 
numbers within the entire range for a given card issuer 
and then discard the number if it is already in use as a 
limited-use or conventional card number or if the same 
number was allocated within a given time frame. 

20 [0066] The above process generates a series of avail- 
able single use numbers. To repeat, the allocation proc- 
ess is achieved by a truly random (or less ideally a pseu- 
do random) mapping process in which a single use 
number is randomly selected and then assigned to a se- 

25 lected account holder (either an existing credit/debit 
card holder, a new solely single use account holder or 
a bank account). Additional single use numbers can be 
allocated for purchase on an individual basis. Each as- 
signed single use number is then removed from the se- 

30 quence of available numbers before the next allocation, 
ensuring a unique allocation of each single use number. 
An alternative mechanism for performing direct alloca- 
tion to a specific account holder is for lists of single use 
numbers to be allocated to unique storage locations. 

35 The list from a specific storage location can then be di- 
rectly allocated to a given account at a later date. This 
allows for rapid allocation of cards to new customers 
without any delay arising from the need to perform a new 
allocation procedure for each new customer. 

40 [0067] This allocation process generates another se- 
ries of single use numbers, the "allocated range** with 
an associated identification field to determine how the 
account will be settled once used, i.e.. onto whose ac- 
count the transaction will be charged. The allocation 

''5 process can occur a significant time before the single 
use numbers are required. Once allocated, they are not 
added into the list of valid accounts until required by the 
user 

[0068] Fig. 3 is a flow chart illustrating an exemplary 
50 process for allocating credit card numbers. A central 
processing unit (CPU) generates a database of credit 
card numbers (step 302), and selects a master credit 
card number. (Step 304). In step 306. the CPU checks 
to make sure that the master credit card number is not 
55 the same as another credit card number. The CPU se- 
lects additional credit card numbers to allocate to the 
master credit card number. (Step 308). The CPU can 
use any of the techniques discussed above to select the 
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additional numbers. In step 310, the CPU checks to 
nr^ake sure that the additional numbers are not the same 
as another credit card number. The additional numbers 
can be used, for example, for single use cards. 
[0069] When a customer needs single use cards, the 
CPU can issue the additional credit card numbers to the 
customer. Unless these single use numbers are issued 
directly into the hands of the customer (e.g., by an au- 
tomated teller machine (ATM)), they are not directly add- 
ed to the list of valid account numbers held within the 
central computer system. These numbers are added to 
an "issued, but not valid" list of numbers. (Step 312). 
The number of single use numbers issued at one time 
depends upon the rate at which the customer will use 
the cards and the capability of the device used to store 
the single use numbers until used. The CPU can provide 
the customer with enough single use numbers to fulfill 
their single use purchase requirements for up to. for ex- 
ample, 2 years. Each single use number can be en- 
dowed with specific restrictions in terms of transaction 
type or value, provided that these properties do not ex- 
ceed the restrictions placed up on the customer's ac- 
count (such as the available credit balance). 
[0070] Once a series of single use numbers are is- 
sued, the user has the option of confirming receipt by 
telephone before any of the issued numbers become 
validated on the processing system. (Step 314). Once 
receipt has been confirmed (or assumed), not every is- 
sued single use number is added to the "issued and val- 
id" list. (Step 316). To prevent excessive valid single use 
numbers being held within the processing system, the 
number of single use numbers declared to be valid at 
any one time is limited to account for waste of numbers 
(i.e.. numbers that are accessed by a customer but are 
never used to complete a transaction) and to allow for 
lime delays between different transactions leading to 
differences in the sequence in which single use num- 
bers are accessed by the customer and the sequence 
in which they arrive at the processing center. The max- 
imum number of single use numbers valid at any one 
time can be determined by the card issuer but would be 
preferably in the range of 5-10. In the case of any at- 
tempted use outside the allocated range, the next single 
use number can used as an additional identifier to vali- 
date the transaction. In this case, only a subset of the 
digits should be given by the user to prevent a fraudulent 
trader being able to gain access to multiple unused sin- 
gle use numbers. As soon as a single use number is 
invalidated (step 320) on use (step 318). an additional 
number from the"issued not valid" list for that customer 
is allocated to the "issued and valid" list, ensuring a con- 
tinual supply of single use numbers up to the maximum 
allowed until the next set of single use numbers are is- 
sued, (Step 322). 

1007 1 ] In relation to the actual supply of the additional 
credit card numbers, this will not cause any difficulties 
to the credit card provider. For example, with a standard 
master credit card number, there are up to fifteer^ or 



more digits, the first of which is used to identify the credit 
card provider, e.g., American Express®, VISA®, Mas- 
tercard®, etc. For major banks, three digits are used to 
identify the issuing bank. The last digit in a typical six- 
5 teen digit master credit card number is a checksum used 
to confirm that the number is a valid number. This leaves 
a total of up to 11 digits or more for the account identi- 
fying number and the expiration date. In some instanc- 
es, the expiration date may not be sent back for clear- 
ance, while with certain credit card providers, additional 
credit card numbers or even additional information is re- 
quired for clearance. For example, certain credit card 
providers print additional numbers on the card, which 
additional numbers are not embossed on the card and 
do not form part of the master credit card number. These 
additional printed and non-embossed credit card num- 
bers can be used to identify that the person proffering 
the card for a non-card present transaction is actually in 
possession of the card when the order is made whether 
20 it be in writing or by phone. There are many devices, 
digits, pieces of information, etc. used by a credit card 
issuer or processor working for a credit card issuer to 
clear the credit card for the specific transaction. Accord- 
ing to another embodiment, when issuing additional 
25 credit card numbers in accordance with the present in- 
vention, such additional credit car^ numbers could in- 
clude a code which would identify that the person using 
the additional credit card number in a remote transaction 
is the one to whom the numbers were sent or. in the 
30 case of a disposable aedit card, is the one to whom the 
disposable credit card was sent. 
{0072J A preferred feature of these additional credit 
card numbers is that they be constrained to be in the 
correct formal for a credit card number with a valid check 
35 sum, while at the same time be mathematically unrelat- 
ed to each other or to the mas-ter credit card. In certain 
situations, for single use numbers, the expiration date 
is virtually irrelevant. Thus, using the month code of the 
expiration date with said eleven digits, there are 12 x 
10^^ i.e.. 1.2 X 10^2^ i.e., 1.200 billion possible unique 
codes available for any given credit card provider. This 
would allow for 50 transactions a month for 10 years for 
200 million account holders, before any codes would 
have to be recycled or a new header code introduced. 
45 When it is understood that there are then another 10^ 
header numbers that a credit card provider can use. it 
will be appreciated that the structure and arrangement 
of existing master credit card numbers is sufficient to 
operate this invention with the advantage that the exisl- 
5f? ing infrastructure of dealing with credit card transactions 
can be used with minimum modification. All that is re- 
quired for the credit card provider is to store the gener- 
ated numbers against the master credit card number. 
10073] If. for example, the card is a VISA® card, there 
55 are approximately 21,000 issuing banks. The sixteen 
digit number has a "4" followed by a five digit code to 
identify the card issuer. The last number is a checksum 
to verify that it is a valid number. As a result, there are 
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21.000 X 109 X 12 (252 trillion) unique numbers and as- 
sociated expiry months. This number of codes is suffi- 
cient for 36,000 years of transaction processing at the 
current annual rate of approximately 7 billion transac- 
tions per year. 

[0074J While existing credit card formats allow for a 
sufficiently large number of available card numbers, 
numbers will eventually need to be recycled for alloca- 
tion. As the range of available numbers reduces in size 
over time» additional or recycled numbers should be 
added back into this range to ensure that the allocation 
process is performed from a range sufficiently large to 
maintain random allocation. The length of time prior to 
recycling depends on the total number of available 
unique card codes available to an issuer and the number 
of transactions that use limited-use numbers. Such re- 
cycling can only occur after a number has been invali- 
dated for further use and is no longer valid for refunds. 
Once recycled, automatic fraud detection mechanisms 
that would normally be activated on the attempted reuse 
of a previously inactivated card need to be altered by 
removing the recycled number from the list of previously 
issued limited-use numbers. 

2.3 Limitations on the use of the credit card numbers 

[0075J The use triggered condition subsequent limita- 
tions placed on limited-use card numbers, i.e. transac- 
tion value limitations, number of transactions limits, etc., 
are central to their additional flexibility and security com- 
pared to conventional credit/debit/charge cards. These 
limitations can be imposed and controlled in a variety of 
ways. For example, the limitations can be stored within 
a database held by the card issuer and used to check 
that the transaction falls within these limitations during 
the authorization process. 

[0076} Fig. 4 is a flow chart illustrating an exemplary 
process for limiting the use of a credit card number. A 
CPU can allocate a credit card number to a master credit 
card number (step 402), and allocate a condition to the 
credit card number. (Step 404). The CPU can then store 
the condition in a database of conditions. (Step 406). 
These limitations can be assigned by the issuer in a pre- 
determined manner or can be imposed according to the 
requests of the card holder. These limitations are en- 
coded with the limited-use numbers when the numbers 
are issued to a user so that the user can determine the 
limitations associated with a particular card. These lim- 
itations can be altered once a number is issued by up- 
dating the issuer database and the user maintained list 
of numbers. Communication between the user and card 
issuer to make these changes can be posted, conveyed 
verbally or electronically (Step 408). When the card is 
used for a transaction (step 410), the transaction details 
are compared by the processing software with the limi- 
tations and the transaction is authorized only if the trans- 
action falls within these limitations. (Step 412). 
[0077] Alternatively the limitations can be encoded 



within part of the number format that is transmitted dur- 
ing a transaction. The limitations would then be decoded 
from the transmitted transaction details by the card proc- 
essor. This would offer the user more control, but would 
5 offer less security since knowledge of the encoding for- 
mat could be used to fraudulently alter the limitations 
chosen by altering the appropriate portion of the limited- 
use number format. 

[0078] As internet commerce develops, there will be 
10 an increased need for a wide range of financial transac- 
tions. The limitations placed on limited-use card num- 
bers can be used to implement a wide range of payment 
options. For example, a credit card number can l>e lim- 
ited to a single transaction for a pre-arranged transac- 
ts tion limit. 

Or alternatively, a credit card number can be used, for 
example, to implement an installment plan where the 
credit card number is. for example, only valid for twelve 
payments for a pre-arranged transaction limit for twelve 

20 months to a single merchant. This plan provides security 
against fraud because it is locked to a single merchant, 
and it is only good for one year Or similarly, a credit card 
number can be used to implement a debit plan where 
the credit card number is limited to a specific merchant. 

25 When the limited-use number is limited to a specific mer- 
chant, the merchant can be prearranged by the user or 
can be determined by first use. Or finally, a credit card 
number can be used as a gift voucher where the credit 
card number is limited to a specific transaction value, 

30 but it can be used for any merchant. 

2.4 Distribution of the credit card numbers 

[0079] The next matter that is considered is how these 

35 additional credit card numbers and/or additional credit 
cards are distributed to a credit card holder. One way of 
providing such additional credit card numbers and/or 
additional credit cards is to in some way provide them 
physically to the master credit card holder, whether it be 

40 by collection, delivery by courier, post orsome other way 
which can generally be covered under the heading of 
provision by post. Obviously, the financial institutions 
wish to provide the additional credit card numbers or the 
additional credit cards to the user as efficiently as pos- 

45 sible with the minimum risk of the additional credit card 
numbers and/or cards falling into a third party^s hand. 
While one can never prevent theft, for example, of a 
credit card from a user, what is important is to ensure 
that these disposable credit cards and/or credit card 

50 numbers are delivered to the user with the least possi- 
bility of a third party obtaining either the numbers or the 
disposable credit cards from the time they are generated 
until the time they are physically received by the user. 
[0080] It is envisaged that there are various methods 

55 by which a credit card provider could issue the additional 
credit card numbers and/or credit cards to the user One 
of the simplest ways would be to post them on request. 
Another way would be for the credit card provider after 
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receiving a payment of an account or with a statement 
of an account, to provide a sufficient number of addition- 
al credit card numbers and/or additional credit cards to 
replace the ones used since the previous statement. 
Particularly, if such statements do not quote the master 5 
credit card number or some code number, it would be 
possible to put in additional checks on the activation of 
the additional credit card numbers or credit cards. Some 
form of receipt system could be used. In this way effec- 
tive theft would be reduced. io 
[0081] Fig. 5 is a flowchart illustrating an exemplary 
process for distributing credit card numbers. A credit 
card issuer allocates a master credit card number to a 
master credit card owner. (Step 502). The credit card 
issuer then allocates limited-use numbers to the master 15 
credit card number. (Step 504). For pre-prepared cards, 
the card issuer can decide whether to print (or incorpo- 
rate by some other means such as embossing) one 
number per card or multiple numbers per card. (Step 
506). The card issuer can distribute multiple numbers 20 
using a single card (step 508) or distribute multiple num- 
bers using multiple cards. (Step 512). 
[0082] In either case, it is important that the user can 
keep track of which numbers have been used. If the card 
has only one number, an opaque removable cover can ?5 
be used to cover one or more portions of the carcl (Step 
510), For example, the opaque removable cover can 
cover the number portion of the card, so that the cover 
has to be removed before the card can be used. The act 
of removing the cover indicates that the card number 30 
has been accessed or used. 

[0083] Or alternatively, an opaque removable cover 
can conceal a message such as "used." The opaque 
removabfie cover can be a scratch off layer that is 
scratched off before or after the card is used. The 35 
scratch off layer can resemble the layer that is often 
used to cover lottery numbers or the like. Or alternative- 
ly, the single use cards can be placed in a self-contained 
container that resembles a razor blade dispenser (Step 
516). The owner can remove a single use card from a ^0 
first compartment and then place the used card into a 
second compartment. 

[0084] If the card has multiple numbers, the owner 
can keep track of the numbers by using a device that 
covers one or more portions of the card. (Step 510). The ^5 
device can cover the numbers until they are used. As 
described above, the device can comprise multiple 
opaque layers that must be removed prior to the use of 
each number. Or alternatively, each number could be 
visible when the card is issued and each number is as- so 
sociated with a panel in which an opaque covering con- 
ceals a message that indicates that the number has 
been used. After each use, the corresponding covering 
is removed or scratched off to indicate that the number 
has been used. 55 
[0085] In both above cases the solutions incorporated 
on the cards act to remind the user which numbers have 
been used. The critical check on the validity of the 



number is performed by the processing software re- 
sponsible for authorizing card transactions. 
[0086] The additional credit card numbers and/or 
cards can be sent with a statement. (Step 518). The ad- 
ditional credit card numbers are not activated until the 
statement is paid. (Step 520). The card issuer could also 
require that the payment be accompanied by the master 
credit card number or another identifier. Or, for example, 
an additional security step involving either direct contact 
with the issuing credit card company or an independent- 
ly issued password to allow activation of an electronic 
device could be used. 

[0087] A further way in which the additional credit card 
numbers and/or additional credit cards could be distrib- 
uted to the user is by way of an ATM machine. (Step 
522). The ATM machine with very little modification 
could provide the additional credit card numbers. Simi- 
larly, with relatively little modification, an ATM machine 
could provide additional credit cards. 
[0088] Cards/single use numbers can be issued di- 
rectly into an electronic device that is capable of storing 
such numbers. This applies to mobile phones and pager 
devices to which information can be transmitted using 
existing systems and computers connected either di- 
rectly or via a telecommunications system to the Internet 
or a specific host computer system. In such a situation 
a mechanism is required to protect these numbers in 
transit to prevent unauthorized access. For global appli- 
cations, this mechanism must not be subject to export 
restrictions. In addition, this protection should not be 
susceptible to "brute force" decryption techniques. Such 
a system is described below in relation to the storage of 
single use cards. 

[0089] An alternative method to provide additional 
credit card numbers could be by way of a computer pro- 
grams. Obviously it would be necessary for the credit 
card provider to have sufficient security that when the 
computer program was dispatched, either through the 
telecommunications network or through the post, that 
unauthorized access could not be obtained. 

2.5 Electronic use of the credit card numbers 

[0090] In the situation where the user stores and ac- 
cesses limited- use numbers via an electronic device 
such a computer of any form (desktop, television or ca- 
ble linked Internet access device, laptop, palmtop, per- 
sonal organizer etc), any device that can deliver the 
same functions as a computer or dedicated Internet ac- 
cess device, a dedicated microprocessor device with 
key pad and screen or any form of telephone with asso- 
ciated microprocessor controlled electronics, the asso- 
ciated software can perform some or all of the following 
functions: 

1) Password controlled access to software or other 
security activation system that can verify that the 
user has a valid right of access. 
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2) Secure storage of issued limited-use credit/debit/ 
charge card numbers until required by the user. 
These numbers can be stored in a variety of en- 
crypted forms. An additional security step is to en- 
crypt the number in the form a valid credit card 5 
number as previously described. 

3) Secure storage of transaction details and date of 
use for reconciliation with records held by the credit/ 
debit/charge card company in case of disagree- 
ment. This may include digitally signing each trans- 
action record. 

4) Facility for user to review past usage of limited- 
use card numbers and transactions. ^5 

5) Notification to user of available number of limited- 
use cards. 

6) Initiate automated request from software to card 20 
issuing organization or agreed agent for further 
cards to be issued by previously agreed route if re- 
quested by user or if the number of available limited- 
use cards is less than a pre-arrange limit. 

25 

7) Secure communication between software pack- 
age and card issuing organization or agreed agent 
for downloading additional limited-use numbers. 
This secure communication can exploit any availa- 
ble form of encryption suitable for this purpose. 30 

8) Secure communication between card issuing or- 
ganization or agreed agent and the software pack- 
age for the transmission of information regarding 
credit card transactions, account balances and oth- 35 
er information as requested by the user or card is- 
suer. This secure communication can exploit any 
available form of encryption suitable for this pur- 
pose. 

40 

9) Automated or manual means for transfer of credit 
card information to the merchant. The software can 
integrate with Internet software in the situation 
where it is run on a device linked to the Internet or 
similar electronic network and allow automatic 45 
transmission of transaction details if the merchant 
software so allows. To ensure compatibility with any 
form of merchant software the user also has the op- 
tion of dragging and dropping a limited-use number 
displayed by the software onto the appropriate part 50 
of a web page, or manually entering the number. In 

the case a device intended for use over the tele- 
phone, the number can either be spoken by the user 
or appropriate tones can be generated to automat- 
ically transmit the number to the merchant. 55 

10) Use of digital signature verification to verify both 
parties of a credit card transaction (i.e. merchant 



and cardholder). 

1 1 ) Use of digital signature verification to verify both 
parties of a communication involving the transmis- 
sion of financial information or additional limited- 
use card numbers (i.e. card issuer and cardholder). 

12) Use of stored lists of limited-use numbers held 
by user and card issuer as dynamic passwords to 
verify both parties (user and card issuer) of a com- 
munication involving transmission of financial infor- 
mation or additional limited card numbers. 

[0091] For "card not present" transactions, it is pro- 
posed that the customer uses an electronic device to 
store issued single use numbers. This may represent a 
range of devices from a mobile telephone, pager, dedi- 
cated single use storage device or a software package 
that can run on range of platforms such as a conven- 
tional desktop compute^ television based Internet ac- 
cess device (e.g., WebTV) or a portable computing de- 
vice. 

[0092] The software that is used within these devices 
for storing and accessing these numbers wilt have spe- 
cific features that are common to all platforms/devices. 
[0093J For security reasons, access to the software 
will be password protected or protected by another se- 
curity system that allows identification of the user. Mul- 
tiple passwords may be employed to provide limited ac- 
cess to certain individuals, for example limiting access 
for a family member to single use numbers with specific 
pre-allocated limits on application or maximum transac- 
tion value. 

[0094] The single use numbers are preferably stored 
in a secure form involving one or more encryption sys- 
tems. It is proposed that a dual system will be employed 
using a standard protocol (e.g, DES or RSA encryption) 
and a specific system designed for credit cards as de- 
scribed below. 

[0095] "Brute force" decryption involves using multi- 
ple fast computers and specific algorithms to test large 
numbers of possible encryption "keys." Success can be 
determined by seeing whether the result appears in the 
expected format, for example as comprehensible Eng- 
lish text in the case of an encrypted document. If the 
encrypted version is in an identical fonmat to the unen- 
crypted version (though with different information) then 
brute force decryption cannot succeed. This is not a 
computationally viable option for text but it is possible 
for credit cards. 

[0096] The approach is to break down each compo- 
nent of a credit card number and encrypt these with a 
private password so as to maintain the numerical com- 
position of each component. The end result should be 
securely encrypted but should not represent another ex- 
isting credit card account. This can be achieved by con- 
straining the encryption system to convert the credit 
card header sequence used to identify the issuing bank 



13 



25 



EP1 115 095 A2 



26 



(usually 4-6 digits) into a currently unused sequence. 
Since this information will be constant for all cards from 
the same issuer, this information should be randomized 
(rather than encrypted) to prevent recognition of a valid 
decryption solution. Once the rest of the number is de- 
crypted by the program, the appropriate header se- 
quence can be added. The remaining digits excluding 
the checksum (the last digit) are then encrypted using 
any private key encryption system that will maintain the 
same number of digits and produce a result that repre- 
sents the numerals 0 to 9. The expiration date and any 
other identifying digits are also encrypted in such a man- 
ner as to respect their existing structure, i.e., the month 
is encrypted between 1 and 1 2 and the year is encrypted 
so as to represent a number within the next three years 
that ensures that the expiration date is valid. Following 
these steps, the digits used to calculate the checksum 
in a normal card number are processed to calculate a 
valid checksum for the encrypted card. The result is a 
valid appearing credit card number that has a valid 
checksum and which can be guaranteed not to belong 
to any existing credit/debit card account holder 
|0097J For example, for a card with a 6 digit header 
and valid checksum, e.g.. "1234 5678 9012 3452 expi- 
ration date of 12/99," 123456 is randomly assigned to a 
- ^currently unused header sequence, e.g., 090234 (this 
is an example and does not necessarily represent an 
unused header sequence). 7890 1 2345 is encrypted into 
another 9 digit number, e.g., 209476391. 12/99 is en- 
crypted to a valid date format that ensures the card is 
not expired, e.g., 3/00. The checksum is recalculated to 
produce a valid appearing credit card number, for this 
example the checksum is 4, i.e., 0902 3420 9476 3914 
expiry 3/00. 

[0098] To decrypt this number for use or after trans- 
mission from the bank, the appropriate header se- 
quence for the issuer is exchanged for the digits in the 
encrypted number. The other digits are decrypted using 
the private password and the checksum is recalculated. 
[0099J Provided that the header number is unused 
and the private password remains private, then this 
number is encrypted in such a way that brute force en- 
cryption cannot be used to determine the original 
number, since it will not be possible to determine when 
the correct solution has been reached. In combination 
with standard encryption systems, this allows a means 
to securely store credit cards and transmit them over 
insecure systems with confidence. 
[0100] Once the appropriate password is entered into 
the software, the next available single use number is de- 
crypted and either displayed, allowing the customer to 
use it in any form of trade that can achieved by quoting 
credit card information, or directly transmitted via the 
software to the merchant. Once used, the single use 
number is removed from the stored list. The dale of ac- 
cess, the number accessed and any additional available 
transaction details are then stored in a secure fashion 
and digitally signed to allow for verification in the case 



of a disputed transaction. Each access to a single use 
number requires the entry of a password to prevent un- 
authorized access if the customer leaves his software/ 
computer device unattended and active. 

5 [0101] Fig. 6 is a flow chart illustrating an exemplary 
process for electronically using credit card numbers. 
The software can be launched either on its own or acti- 
vated by an icon integrated into an Internet browser. 
(Step 602). The software can provide a simple interface 

10 with a graphical appearance that exploits familiar imag- 
es of credit cards and/or ATM's. The software can be 
programmed using Java code or a Java core embedded 
in a c/c** application or equivalent programming lan- 
guage. 

15 10102] Once launched the user puts in one password 
to gain access to the main screen which contains a key 
pad to allow a PIN to be inputted either by keyboard or 
by mouse clicks. (Step 604). The latter protects against 
any covert attempts to record passwords by trapping 

20 key strokes. A consecutive number of errors in inputting 
the password will permanently disable the program and 
overwrite remaining encrypted numbers. After the cor- 
rect PIN is entered, the user can select a new limited- 
use number with or without additional constraints (e.g. 

25 maximal transaction value). 

(Step 606). A new limiled-use number is then displayed 
on the graphical interface. The software can provide se- 
cure access to encrypted credit card numbers that are 
stored on a computer's hard disk. (Step 608). These 

30 numbers can be accessed for use on the Internet or for 
use over the phone/mail order. (Step 610). The numbers 
must therefore be able to be inserted directly into a web 
page (step 612), or printed out/copied from screen for 
use in other ways. (Step 614). The limited-use number 

35 can be copied, printed, pasted via the clipboard (or 
equivalent) or dragged-and-dropped on to a web page. 
The length of time a number is displayed and how the 
program terminates are user configurable. The user can 
also record a comment to provide further information 

40 about how a number was to be applied. 

For automated transactions, the software should ideally 
be able to intercept and respond to merchant server in- 
itiated signals activating integrated functions within the 
browser. 

45 [0103] Once a number has been accessed, it can be 
deleted from the encrypted lists. (Step 616). The date, 
number, current URL in the case of Web use and any 
user comments are then stored by a separate form of 
encryption to facilitate audit/review. (Step 618). The us- 

50 er can review, but not edit this information 

[01 04] There should be a facility for downloading ad- 
ditional numbers either from additional floppies or via 
the Internet using high security protocols. (Step 620). 
The latter function can be performed by a separate pro- 

55 gram. 

[01 05] The program should include a maximal degree 
of transparent security features, i.e., features that do not 
affect a normal user, but that protect against the pro- 
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gram being reinstalled or copied onto a second ma- 
chine. This means that the encrypted limited-use num- 
bers should either be stored within the executable file 
or stored in a file that also stores encrypted copies of 
the machine specific information. (Step 622). This is re- 
quired to ensure that the numbers can only be accessed 
on the machine on which the software was first installed. 
The data files should also be stored as hidden system 
files. 

[0106] Some users may wish to have the equivalent 
of an electronic wallet that can be de-installed from one 
computer and reinserted on another, for example, when 
transferring a "wallet" from an office to a home machine. 
This transfer process ensures that only one version of 
the program is running at any one tie and that no prob- 
lems arise in terms of reconciling lists of used numbers. 
Appropriate security mechanisms can be implemented 
to identify the valid user. 

[01 07 J Encryption of limited-use numbers should in- 
volve two levels. At the first level, the card numbers are 
encrypted using an algorithm that acts only to alter the 
free digits within the credit card. The header sequence 
(i.e. bin number) is left unaltered or converted into an 
unused bin number and the checksum recalculated. 
This prevents any form of brute decryption because 
there will be no way of telling when the correct algorithm 
has been selected since each number starts and ends 
up as a valid looking credit card number. Following this 
step each number is encrypted with industry standard 
encryption methods (e.g. RSA or DES). Following de- 
cryption within the program the checksum is recalculat- 
ed for the final number and the appropriate bin number 
reinserted. 

[0108) The software can be shipped on a single 1.4 
Mb Floppy (or any other computer readable or usable 
medium) in an encrypted form or downloaded from a 
website. 

Limited-use numbers can be issued either with the pro- 
gram or independently. An independently shipped pass- 
word can be required for installation. The installation 
process will allow the program to be installed a restricted 
number of limes after which critical data is overwritten. 
The precise number of allowable installations will be 
easily alterable within the software design. Once in- 
stalled on the host computer, the program encrypts in- 
ternal information regarding the machine's configuration 
to protect against copying of the program onto other ma- 
chines. At first installation the user can select his own 
passwords. These will be used to control both access 
to the programs and to influence the pattern of one level 
of encryption that is applied to limited-use numbers. 
[0109] As numbers are accessed, a graphical indica- 
tor of the remaining amount of limited-use numbers pro- 
vides early warning if additional numbers are required. 
The software can also provide a log of previously ac- 
cessed numbers, the date, associated URL if activated 
from within a browser and comment; a summary of ac- 
count expenditure; assistance with adding additional 



numbers from disk or via Internet; the ability to configure 
additional passwords/users for shared cards; and/or hot 
link Internet access to the card number issuer's website. 

5 2.6 Processing of card transaction 

[01 1 0J It is envisioned that additional credit card num- 
bers and/or additional credit cards would be processed 
by merchants in the same manner as existing credit card 

10 numbers and/or credit cards with the merchant obtain- 
ing validation of the credit card number from the credit 
card company or authorized third party. In much the 
same way as at present, the additional credit card 
number would be matched to the customer account and 

'5 the account would be debited accordingly. The mer- 
chant reimbursement following verification of an addi- 
tional credit card transaction would be performed in the 
normal manner. A particular advantage for the merchant 
is that since they are never in possession of the master 

20 credit card number or indeed, in many instances, of the 
master credit card, they have no responsibility for secu- 
rity to the master credit card holder. It is envisaged that 
where there are additional credit cards used, it may not 
be preferable to take an imprint of the credit card man- 

25 ually, as the imprint can be taken electronically Similar- 
ly, those processing the credit cards will process them 
in the same manner described heretofore. 
[0111] Processing systems for handling limited-use 
cards perform a number of functions including some or 

30 all of the following: 

1) Verify that the limited-use number is valid. 

2) Verify that the transaction falls within limitations 
35 placed on the specific number. 

3) In the case of a limited-use number associated 
with another account, verify that transaction falls 
within limits acceptable for the associated account. 

40 

4) Provide authorization to the merchant if valid and 
within the limitations for specified number and as- 
sociated account. 

45 5) Permit later transactions to be charged to a lim- 
ited-use number that has been invalidated for fur- 
ther authorizations only if the transaction is gener- 
ated by the same merchant that obtained pre-au- 
thorization for the same transaction. 

50 

6) Deny authorization if invalid or exceeding limita- 
tions on number or associated account. 

7) Activate fraud detection mechanisms if invalid 
55 number or on attempt to reuse an invalidated limit- 
ed-use number. 

8) Invalidate limited-use number for further author- 
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izations/payments if limitations on use are met or 
exceeded by a specific transaction. 

9) Maintain list of invalidated numbers for reim- 
bursement in the case of returned or faulty goods 
for a defined period. 

10) Limited-use numbers and transaction details 
logged and linked to associated account. 

11) Transmit records of limited-use and other card 
transactions to the user by post or e-mail. 

12) Instigate payment to merchant for approved 
transactions. 

13) Instigate reimbursement to account holder in 
case of a refund. 

14) Invoice account holder for payment for charges 
incurred or arrange settlement via another account. 

[0112] Many of the procedures associated with limit- 
ed-use cards represent functions already performed by 
the clearing systems. These existing functions include: 
adding new credit/debit card numbers to the processing 
databases; allowing these card numbers to be activated 
following a confirmatory call to the issuer by the custom- 
er; conferring a credit limit on a credit card number; and 
invalidating a credit card number from further use and 
marking any further use as fraudulent. This overlap rep- 
resents part of the commercial value of the single use 
invention, minimizing the required changes. 
[01 1 3] Once a limited-use number enters the clearing 
system it can be handled in a normal fashion, e.g., by 
ensuring that it has not been reported as being stolen 
and that it represents a valid account number within the 
database. If the transaction is within the credit limit of 
the customer and the transaction limit or restricted use 
limitations of the limited-use number, it is authorized. 
[01 1 4] Several specific modifications should be made 
to the processing software to implement the features of 
single use cards. For instance, valid limited-use num- 
bers are stored in a database of valid account numbers 
along with other information specific to single use num- 
bers. This includes sufficient information to identify the 
customer to whom it was issued and any additional lim- 
itations placed upon the card in terms of transaction val- 
ue or category of merchant for which the card can be 
used. 

[01 1 5J Once authorized, the limited-use number is in- 
validated so as to ensure that further authorization/ 
charges cannot be made on that number. To allow for 
authorization preceding request for settlement by a sub- 
stantial delay, for example in the context of a mail order 
purchase where a credit/debit card number may be au- 
thorized at the time of order and charged only when the 
product ships, delayed settlement to the same merchant 



must be allowed. 

[01 1 6] Once the number of transactions permitted for 
a limited-use card is reached, the central card process- 
ing software invalidates the card. Due to the time delay 

5 that can occur between authorization and a merchant 
request for settlement, improved security is achieved by 
linking the invalidation process to authorization. Linking 
invalidation to settlement facilitates pre-authorizations 
at the cost of increased risk of, for example, multiple use 

^0 of a card number intended for limited-use. Pre-authori- 
zations can be used with authorization dependent inval- 
idation as described above. In the case where a trans- 
action is not authorized before being accepted by a mer- 
chant, the invalidation process will occur when the trans- 

15 action details are transmitted to the processor for set- 
tlemenL When no authorization is obtained for a limited- 
use number the system will therefore still operate nor- 
mally with an increased level of risk for the issuer/mer- 
chant as is the case with an unauthorized conventional 

20 card transaction. 

[0117] Whenever the credit limit or validity of a cus- 
tomer's account changes, all currently valid limited-use 
numbers are identified and their associated credit limit 
is altered to the lower of either their allocated transaction 

25 or the existing credit limit. If the customer account is 
closed or declared delinquent, all valid single use num- 
bers are handled in the same manner. 
[0118] Whenever a limited-use number is used, the 
next available single use number previously allocated 

30 to the same customer and issued to the customer is add- 
ed to the database of valid account numbers. 
[01 1 9] When a transaction is charged to a limited-use 
number, the transaction details and customer account 
details are stored together for audit purposes and the 

35 value of the transaction is added to the customer's ac- 
count for billing. 

[0120] The software for storing transaction details and 
printing statements can be modified to allow for both the 
customer's conventional account details and the limited- 

^0 use number transaction details to be reported. 

[0121] Processing of limited-use numbers can be in- 
tegrated into existing systems in a variety of ways. The 
authorization and settlement process can be completed 
in a single cycle or split into a separate authorization 

45 and settlement processes as is commonly done in ex- 
isting credit card systems. 

[0122] In the case of an entirety new» stand-alone, lim- 
ited-use credit/debit/charge card processing system, 
the above functions can be implemented without restric- 

50 tion in any suitable computer capable of incorporating 
the required database and communication functions. 
Such a system should be able to provide an authoriza- 
tion for a transaction within the same lime scale as an 
existing credit/debil/charge card transaction. 

55 [0123] In the case where the above functions have to 
be integrated into existing systems several approaches 
can be taken to minimize the required changes. It is pos- 
sible to add steps to the processing chain that is encoun- 
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tered as soon as a credtt/de bit/charge card number is 
received from a merchant. 

[0124] Fig. 7 is a flow chart illustrating an exemplary 
process for processing a transaction. In step 702, a soft- 
ware system receives transaction details from a mer- 5 
chant. The software system determines whether the 
number is a limited-use number or a conventional card 
number (Step 704). If the number is a conventional card 
number, it is passed on unchanged into the processing 
system and can be handled by existing systems with no io 
modification. (Step 706). The merchant receives author- 
ization from the system responsible for authorizing con- 
ventional card numbers. Merchant reimbursement is 
similarly unaffected. (Step 708). 

[0125] The system can check the limited-use number ^5 
and the corresponding limitations. (Step 710). If the 
number is not valid for the designated transaction, the 
transaction is denied. (Step 712). Otherwise, a data- 
base look-up procedure determines the associated 
master account number and transmits this number (i.e. 
the master account number) back into the processing 
system. (Step 714), This allows all existing fraud detec- 
tion, authorization and demographic software proce- 
dures to be completed with no alteration. (Step 716). 
Once the master account number is substituted for the 25 
limjted-use number a number of additional steps are re- 
quired. (Step 718). If the criteria for invalidating the lim- 
ited-use number have been met during this transaction, 
then the limited-use number is invalidated for all future 
transactions except refunds. An additional limited-use 30 
number can be automatically issued if a continual supply 
of single use numbers is required. The transaction de- 
tails and master account number are then transmitted 
for inclusion within a database to allow for tracking of 
transaction details and billing of the user. These func- 35 
tions do not need to be performed before an authoriza- 
tion is issued but can completed afterwards. (Step 720). 
[0126] With the above system, the software respon- 
sible for substituting the master account number for the 
limited-use number can also process additional features 40 
unique to limited-use numbers. These features include 
transaction value limitations, merchant type restrictions 
and geographical limitations. If the transaction exceeds 
the limitations placed on the limited-use card then au- 
thorization is denied and the master credit card need not 45 
be passed on for further processing. In the case of a 
transaction falling within the limitations of a limited-use 
card, then the transaction details are passed on with the 
master account number for conventional validation. In 
this way the restrictions in place for the master account 50 
(e.g., available balance, expiry date) are checked for 
each limited-use transaction. 

[0127] Specific fraud detection mechanisms can also 
be incorporated into the software. For example, on the 
first occasion that an invalidated limited-use number is 55 
used this transaction can be flagged as potentially fraud- 
ulent and appropriate measures taken. Repealed at- 
tempts to authorize invalid numbers from a single mer- 



chant or group of merchants also potentially points to 
fraud and can lead to activation of appropriate fraud 
management measures. 

[0128] The above system requires the least modifica- 
tion of existing systems but may take up to twice the 
processing time of a conventional transaction due to the 
double authorization process, once within the limited- 
use verification and translation step and once within the 
standard systems. It may be advantageous to initially 
process the limited-use card as a master credit card by 
using a single list of limited-use numbers and master 
credit card numbers. 

[0129] Fig. 8 is a flow chart illustrating another exem- 
plary process for processing a transaction. In step 802. 
a software system receives transaction details from a 
merchant. The software system has access to a data- 
base that contains additional information to identify the 
associated account or means of settlement and specific 
limitations relating to the use of limited-use cards. As a 
result, limited-use numbers can be associated with ex- 
isting accounts in the manner currently used to associ- 
ate multiple conventional accounts in the case of multi- 
ple cards issued to a single company for corporate use. 
(Step 804). During an authorization the associated ac- 
count number need not be identified provided each lim- 
ited-use account is updated whenever the status of the 
associated account changes (e.g. available balance, 
account validity etc.). The system can deny authoriza- 
tion (step 806) or authorize a transaction (step 808) with- 
out identifying the associated account number. 
[01 30] For settlement and billing purposes (step 81 2), 
the associated account needs to be identified (step 
810), but this does not need to be done during the 
course of an authorization. The existing software should 
be modified or linked to a new program that performs 
duties specific for limited-use card numbers as de- 
scribed above. (Steps 814, 816, and 818). These func- 
tions do not need to be performed before an authoriza- 
tion is issued. These functions can be completed after- 
wards. 

[0131] This system requires more modification of the 
existing processing software systems, but offers author- 
ization times within the same timescale as existing 
transactions since only one authorization steps is in- 
volved. Other activities such as updating the limitations 
on the limited-use card when the master account chang- 
es can be performed outside the authorization process 
(i.e. "off-line"). 

[01 32] The invention is not limited to the embodiments 
hereinbefore described but may be varied in both con- 
struction and detail. For instance, the invention has 
been heretofore described mainly in the context of a sys- 
tem in which a customer receiving a single use card al- 
ready has a main account with the credit card provider. 
But this need not be so. For example, it is envisaged 
that an ATM machine (or similar apparatus) could be 
used by people who did not have a credit card account 
to purchase disposable credit cards, which disposable 
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credit cards could then be used for either card present 
or remote transactions. When the card had been used, 
the card would be simply reinserted into the ATM ma- 
chine, and after a suitable period of time the purchaser's 
account would be credited with any money not spent. 5 
Similarly, if the person who purchases the disposable 
credit card does not have an account of any sort with 
the credit card provider, the credit card could still be pur- 
chased from the ATM machine and then any refund 
could take place a sufficient time after the transaction io 
would have been cleared, which refund could be either 
in the form of a cash refund to the purchaser or to a 
crediting of that purchaser account with another finan- 
cial institution. Similarly, it will be appreciated that the 
use of an ATM machine is not essentia^ as the dispos- ^5 
able credit cards or single use credit cards coufd be pur- 
chased in the normal way in which one purchases any 
other goods or services, such as either directly in a face- 
to-face transaction or by post. 

[0133] Similarly, while in the above it has been sug- 20 
gested that there could be single use credit cards that 
would be purchased, there is no reason why they could 
not be multiple transaction credit cards with an aggre- 
gate credit limit. Further, these cards could, instead of 
being credit cards, be simply credit card numbers for sin- 25 
gle or multiple use. it is, however, envisaged that for op- 
erational efficiency, these nurnbers are much more likely 
to be issued as disposable credit cards or single use 
credit cards. Thus, for those who do not wish to handle 
a credit card or whose credit worthiness is such that they 30 
would not be allowed to have a credit card, it will now 
be possible for them to have the use of a credit card. 
This would have considerable advantages for the credit 
card providers. 

35 

2.7 Additional uses of the credit card numbers 

[0134] in situations where the card-holder and card 
issuer are in communication and authentication - is re- 
quired of one or both parties, the list of limited-use card ^0 
numbers held by each party can used as a form of iden- 
tification. In the manner of a dynamic password all or 
part of a single limited-use number a sequence of such 
numbers could be used to identify either party without 
the need for issuing any additional security systems. 45 
Since this identification does not need to be handled by 
conventional transaction systems, all or part of a limited- 
use number can be used for this purpose. 
[0135J Fig. 9 is a flow chart illustrating an exemplary 
process for using a credit card number as a PIN number, so 
In step 902, a card issuer generates a database of avail- 
able credit card numbers. The card issuer selects a 
master credit card number (step 904) and distributes the 
master credit card number to a master credit card 
number owner. (Step 906). The card issuer then alio- 55 
cates additional credit card numbers to the master credit 
card number (step 908). and distributes the additional 
credit numbers to the master credit card number owner. 



(Step 910). When the master credit card number owner 
needs or desires to access account information (step 
912). the master credit card owner can use one of the 
additional credit card numbers as a PIN number. (Step 
914). 

[01 36J As can be readily seen, there are fundamental 
differences between the system of the present invention 
and any system that uses a PIN or other number (wheth- 
er constant or varying from transaction to transaction) 
to validate a transaction. In the present system the nu- 
merical details conveyed in the course of a transaction 
are identical rn format to an existing credit card number 
but no unique account code is included. This maximizes 
the security and privacy of a credit/debit/charge card 
transaction. Within the processing system the validity of 
the limited-use number is verified first and then the as- 
sociated account identified second by examining infor- 
mation stored with the limited-use number. With the 
transmission of an additional PIN or other number in ad- 
dition to the account number or other unique identifier, 
there is a lower level of security and privacy. Within any 
form of PIN identification (and as described by Rahman) 
the associated account is identified first and then the 
PIN verified after this step. For this reason many card 
holders can share the same PIN, indeed in most cases 
due to the short length of PIN codes many users do have 
identical PINs but different account numbers. For our 
system each limited-use number must be unique at the 
time of use and so the associated account can be 
uniquely identified. 

[0137] While the foregoing description makes refer- 
ence to particular illustrative embodiments, these exam- 
ples should not be construed as limitations. Not only can 
the inventive system be modified for other card num- 
bered systems; it can also be modified for other compu- 
ter networks or numbering schemes. Thus, the present 
invention is not limited to the disclosed embodiments, 
but is to be accorded the widest scope consistent with 
the claims below. 



Claims 

1 . A method for implementing a limited-use credit card 
system, the method comprising: 

allocating a limited-use credit card number; 

associating the limited-use credit card number 
with a customer account number and a set of 
conditions; 

issuing the limited-use credit card number; 

detecting a transaction using the limited-use 
credit card numt)er; and 

processing the transaction in accordance with 
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the set of conditions associated with limited- prtses: 

use credit card number. mailing the limited-use credit card number to 

the user. 

2. A method as claimed in claim 1 further comprising 

the step of: 5 10. A method as claimed in any preceding claim further 

allocating additional limited-use credit card num- comprising: 

bers upon a customer request and/or an event trig- notifying the user about parameters of the lim- 

ger- ited-use credit card system. 



3. A method as claimed in claim 2 wherein the event io 
trigger is the use of more than a preset amount of 
limited-use credit card numbers. 

4. A method as claimed in any preceding claim where- 
in processing the transaction further comprises: ^5 

authorising or denying the transaction by com- 
paring the transaction to the set of conditions 
associated with the limited-use credit card 



5. A method as claimed in any preceding claim further 
comprising: 

30 

assigning another limited-use credit card 
number in response to deactivating the limited- 
use credit card number; and 



6. A method as claimed in any preceding claim further 
comprising: 

40 

maintaining a queue of available limited-use 
credit card numbers; and 

assigning the limited-use credit card number 
from the queue. 45 

7. A method as claimed in any preceding claim where- 
in issuing the limited-use credit card number com- 
prises: 

downloading the limited-use credit card 50 
number to a user. 

8. A method as claimed in claim 7 wherein the limited- 
use credit card number is encrypted prior to down- 
loading. 55 

9. A method as claimed in any preceding claim where- 
in issuing the limited-use credit card number com- 



11. A method as claimed rn claim 10. wherein the user 
is notified via e-mail. 

1 2. A method as claimed in any preceding claim where- 
in the parameters of the limited-use credit card sys- 
tem comprise records of limited-use and other card 
transactions. 

13. A method as claimed in any preceding claim where- 
in the parameters of the limited-use credit card sys- 
tem comprise use of the limited-use credit card 
number in a credit card transaction. 

14. A method as claimed in any preceding claim where- 
in the parameters of the limited-use credit card sys- 
tem comprise a number of limited-use credit card 
numbers available to the user. 

15. A method as claimed in any preceding claim where- 
in the set of conditions are defined by the user of 
the limited-use credit card. 

16. A method as claimed in any preceding claim where- 
in the set of conditions limits the use of the limited- 
use credit card number to a pre-defined user limit. 

17. A method as claimed in any preceding claim where- 
in the set of conditions limits the use of the limited- 
use credit card number to a particular merchant. 

18. A method as claimed in any preceding claim where- 
in the particular merchant is selected from a prede- 
termined list of merchants and/or category of mer- 
chants. 

19. A method as claimed in any preceding claim where- 
in the particular merchant is prearranged by the us- 
er. 

20. A method as claimed in any preceding claim where- 
in the set of conditions limits the use of the limited- 
use credit card number to a single transaction for a 
maximum transaction value for a single purpose. 

21. A method as claimed in any preceding claim where- 
in the set of conditions limits the use of the limited- 
use credit cad number to a set number of transac- 
tions for a maximum transaction value within a set 
time. 



number; 20 

determining whether a limited-use event has 
occurred: and deactivating the limited-use 
credit card number based on the limited-use 
event and/or the set of conditions associated 25 
with timited-use credit card number. 



associating said other limited-use credit card 35 
number with the customer account number. 
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22. A method as claimed in any preceding claim where- 
in Ihe set of conditions limits the use of the limited- 
use credit card number to a single purpose. 

23. A method as claimed in any preceding claim where- 
in the set of conditions comprise at least one of the 
group consisting of transaction value conditions, 
time of transaction conditions, number of transac- 
tions conditions, frequency of transactions condi- 
tions, and purpose of transaction conditions, mer- 
chant type conditions, and geographical conditions. 

24. A method as claimed in any preceding claim further 
comprising: 

dispensing a credit card containing the Itmit- 
ed-use credit card number. 

25. A method as claimed in claim 24 wherein an auto- 
mated teller machine dispenses the credit card. 

26. A method as claimed in claim 24 or 25 wherein dis- 
pensing the credit card comprises: 

printing out an indication of the limited-use credit 
card number for delivery to the user. 

27. .A method as claimed in any preceding claim com- 
prising: 

dispensing the limited-use credit card number to the 
user via a telecommunications system. 

2B. A method as claimed in claim 27 wherein the tele- 
communications system comprises a pager 

29. A method as claimed in claim 27 wherein the tele- 
communications system comprises a mobile 
phone. 

30. A method as claimed in any preceding claim further 
comprising: 

initialing the transaction using the limited-use credit 
card number via the telecommunications system. 

31. A method as claimed in claim 30 wherein the tele- 
communications system comprises a pager. 

32. A method as claimed in claim 30 wherein the tele- 
communications system comprises a mobile 
phone. 

33. A computer program comprising program instruc- 
tions for causing a computer to perform the method 
of claim 1 . 

34. A computer program according to claim 33 embod- 
ied on a recordable medium. 

35. A computer program according to claim 33 stored 
in a computer memory. 



36. A computer program according to claim 33 embod- 
ied in a read-only memory. 

37. A computer program according to claim 33 carried 
on an electrical carrier signal. 

38. A computer program according to claim 33 carried 
on an optical carrier signal. 
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Fig. 3 
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